[ipv6hackers] New IETF I-D: "Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks"

Fernando Gont fgont at si6networks.com
Tue Jun 5 15:33:40 CEST 2012


We have just published a new IETF I-D, entitled "Neighbor Discovery
Shield (ND-Shield): Protecting against Neighbor Discovery Attacks". This
is probably the last missing piece of the "ND mitigation" puzzle (the
others being RA-Guard and DHCPv6-Shield). This one mitigates attack
vectors based on RS, NS, NA, and Redirect messages.

The I-D is available at:

For this version in particular, I'm mostly interested in hearing your
thoughts about the issues raised in the "DISCLAIMER" section -- although
detailed feedback is always welcome.


Best regards,

-------- Original Message --------
Subject: New Version Notification for draft-gont-opsec-ipv6-nd-shield-00.txt
Date: Tue, 05 Jun 2012 06:05:24 -0700
From: internet-drafts at ietf.org
To: fgont at si6networks.com

A new version of I-D, draft-gont-opsec-ipv6-nd-shield-00.txt has been
successfully submitted by Fernando Gont and posted to the IETF repository.

Filename:	 draft-gont-opsec-ipv6-nd-shield
Revision:	 00
Title:		 Neighbor Discovery Shield (ND-Shield): Protecting against
Neighbor Discovery Attacks
Creation date:	 2012-06-05
WG ID:		 Individual Submission
Number of pages: 22

   This document specifies a mechanism that can be implemented in
   layer-2 devices to mitigate attack vectors based on Neighbor
   Discovery messages.  It is meant to complement other mechanisms
   implemented in layer-2 devices such as Router Advertisement Guard
   (RA-Guard) and DHCPv6-Shield, with the goal of achieving a
   comprehensive IPv6 First Hop Security solution.  This document is
   motivated by the desire to achieve feature parity with IPv4 with
   respect to First Hop Security mechanisms.

The IETF Secretariat
